Grid Dynamics Team

CloudPipe – setting up VPN for projects

CloudPipe is a method for connecting end users to their project instances in VLAN mode. You can read more about CloudPipe in the official Developer Reference.

A few notes for successful setup:

First, decide how many addresses you want to reserve for VPN clients and specify this number with the --cnt_vpn_clients flag before creating the network. If you alter this flag later, existing networks won’t be affected by the change. IP addresses for clients are marked as reserved in the database and won’t be allocated to instances.

Second, although the official documentation says that you must specify the image id in the --vpn_image_id flag using the ami-xxxxxxxx format, the image id should actually be specified as a decimal number, without the ‘ami-’ prefix. So if you use the euca-describe-instances command, you need to convert the image id from its hexadecimal representation to decimal.
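The conversion described above, as an added shell helper that is not part of the original post. The function names are hypothetical, the sample id is constructed, and the `--vpn_image_id=<n>` line assumes nova.conf uses flag-file syntax.

```shell
#!/bin/sh
# Added example: convert an ami-xxxxxxxx image id (hexadecimal) into the
# decimal number this post says --vpn_image_id expects.
# Function names are hypothetical; they are not part of nova or euca2ools.

ami_to_decimal() {
    id=$1
    # Require the ami- prefix so a bare number is not silently reinterpreted.
    case $id in
        ami-*) hex=${id#ami-} ;;
        *) echo "expected ami-xxxxxxxx, got: $id" >&2; return 1 ;;
    esac
    # Reject empty suffixes and anything that is not a hex digit.
    case $hex in
        ''|*[!0-9a-fA-F]*) echo "not a hexadecimal id: $id" >&2; return 1 ;;
    esac
    # The ami- format carries at most 8 hex digits.
    if [ "${#hex}" -gt 8 ]; then
        echo "id too long: $id" >&2
        return 1
    fi
    # printf parses the 0x-prefixed string as hex and prints it in decimal.
    printf '%d\n' "0x$hex"
}

# Emit the flag line for nova.conf (flag-file syntax is an assumption).
vpn_image_flag() {
    dec=$(ami_to_decimal "$1") || return 1
    printf '%s\n' "--vpn_image_id=$dec"
}

# Constructed sample id, for illustration only.
vpn_image_flag ami-0000000a
```
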

After changing nova.conf and restarting nova’s services, you can start a particular CloudPipe instance using the command

$ nova-manage vpn run <project_id> <user_id>

In case of any problems with your CloudPipe instance, you can always connect to it through ssh using the key stored in the /var/lib/nova/keys/[user_id]/[project_id]-vpn.pem file, where [user_id] and [project_id] are your user and project ids respectively.

Connecting to the VPN is relatively easy. All required certificates and keys are bundled using the command

$ nova-manage project zipfile <project_id> <user_id>

To connect, use the provided nova-vpn.conf file: just pass it to the openvpn command.